ZTNA
Zero-trust network access: per-app SSO, device-posture, mTLS, no VPN required.
What it is
ZTNA replaces the VPN model. Each user/device gets per-app authorisation: a request must match the user's group, the device's posture, and the app's policy. Sessions terminate at the edge and the origin only sees authenticated, decrypted traffic over mTLS.
When to use it
- Replace VPN for remote workforce.
- Publish internal apps with no public IP.
- Enforce posture (OS version, disk encryption) before granting access.
Quickstart
asc shield ztna apps create wiki --domain wiki.example.com --policy 'group:eng and device.posture.encrypted'client.shield.ztna.apps.create(name='wiki', domain='wiki.example.com', policy='group:eng')await client.shield.ztna.apps.create({ name: 'wiki', domain: 'wiki.example.com', policy: 'group:eng' });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Per user-seat | $7 / user-mo | — | |
| Identity providers | OIDC / SAML 2.0 | — |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
POST /v1/shield/ztna/apps
Required scope(s): shield:write. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.